[OOZIE-2538] Update HttpClient versions to close security vulnerabilities - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.3.0
Component/s: core
Labels:
None

Description

We learned that

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

Also, Commons HttpClient project is now end of life, and is no longer being developed. It has been replaced by the Apache HttpComponents project in its HttpClient and HttpCore modules, which offer better performance and more flexibility. http://hc.apache.org/httpclient-3.x/

Hence, HttpClient version should be updated.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OOZIE-2538.patch
26/May/16 08:46
4 kB
Abhishek Bafna
OOZIE-2538-01.patch
08/Aug/16 05:27
5 kB
Abhishek Bafna
OOZIE-2538-02.patch
16/Sep/16 13:56
4 kB
Abhishek Bafna
OOZIE-2538-03.patch
17/Sep/16 02:08
5 kB
Abhishek Bafna

Issue Links

breaks

OOZIE-2679 Decrease HttpClient library versions due to Hadoop incompatibility

Closed

is related to

OOZIE-2676 Make hadoop-2 as the default profile

Closed

links to

Review Board Link

Activity

People

Assignee:: Abhishek Bafna

Reporter:: Abhishek Bafna

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 26/May/16 04:05

Updated:: 02/Dec/16 21:03

Resolved:: 17/Sep/16 18:40